Marks & Spencer has confirmed “pockets of limited availability” across some of its stores following a cyber attack that temporarily disrupted parts of its IT systems.
The British retailer has been grappling with the fallout from the cyber incident for over a week, which wiped tens of millions off its market value.
Here’s what we know so far about the M&S cyber attack.
What happened in the M&S cyber attack?
Marks & Spencer first revealed the cyber attack on Monday, April 21, after customers reported payment issues and delays receiving online orders.
In an email to shoppers, M&S chief executive Stuart Machin wrote: “Over the last few days, M&S has been managing a cyber incident. To protect you and the business, it was necessary to temporarily make some small changes to our store operations, and I am sincerely sorry if you experienced any inconvenience.
“Importantly, our stores remain open, and our website and app are operating as normal. There is no need for you to take any action at this time, and if the situation changes, we will let you know.”
M&S employs about 64,000 people and operates more than 1,400 stores globally
“This is a pretty bad episode of ransomware,” he said.
“It’s an extremely disruptive event and a really difficult one for them to deal with.”
“I would suggest there’s a high level of confidence this is a ransomware-style event,” Dan Card, cyber expert at BCS, the chartered institute for IT, told the BBC.
“I describe these as like a digital bomb has gone off. So recovering from them is often both technically and logistically challenging… the victim organisation is likely going to be working around the clock to respond and recover.”
Ransomware is a type of malicious software that locks or encrypts a victim’s data and demands payment, usually in cryptocurrency, to restore access.
Who was behind the M&S cyber attack?
It said the group was suspected of breaching M&S systems as early as February 2025, allegedly stealing the Windows domain’s NTDS.dit file, a sensitive database containing user credentials. They’re also believed to have used ransomware to encrypt parts of M&S’s infrastructure.
Also known as UNC3944, Octo Tempest or Muddled Libra, Scattered Spider is reportedly known for using advanced social engineering tactics, including phishing and multi-factor authentication (MFA) fatigue attacks, to infiltrate large organisations.
Phishing tricks users into revealing sensitive information, while MFA fatigue involves bombarding users with repeated login requests in the hope they’ll approve one out of frustration or confusion.

Hackers from the renowned Scattered Spider group were reportedly behind the M&S cyber attack
“Scattered Spider is one of the most dangerous and active hacking groups we’re monitoring,” Graeme Stewart, the head of public sector at security company Check Point, told Sky News.
“Since they first appeared in 2022, they have been linked to more than 100 targeted attacks across industries such as telecoms, finance, retail and gaming.”
BleepingComputer reported that DragonForce ransomware was deployed to VMware ESXi hosts on April 24 to encrypt virtual machines. The group reportedly gained access to M&S systems and remained undetected for weeks.
Scattered Spider reportedly comprises young hackers, some as young as 16, who frequent hacker forums, Telegram channels, and Discord servers. Some members are also believed to be linked to the “Com”, a loosely affiliated group known for cyber and real-world criminal activity that has drawn media attention.
What impact has the cyber attack had on M&S?
Nayna McIntosh, a former M&S executive and founder of Hope Fashion, said the decision to halt online orders was comparable to “cutting off a limb.”
Susannah Streeter, head of money and markets at Hargreaves Lansdown, said the pause on online orders would be “hugely damaging for sales”.
“Fashion sales are likely to take an enormous hit, particularly as the attack has come during the spell of warm weather when summer ranges would ordinarily be piling up in digital baskets,” she added. “While other retailers haven’t been immune to IT breaches, the depth of Marks and Spencer’s problems in resolving the issue are worrying, and it may take some time to win back some warier shoppers.”
Shares fell 2.2 per cent to 377.3p on Monday morning after more than £700 million was wiped from the company’s market value since the cyber attack.